Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    13-11-2024 13:53

General

  • Target

    a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe

  • Size

    2.6MB

  • MD5

    de0b5782de12cab93f8325f9473888ee

  • SHA1

    83b4ba6493642200f175d76bb53659eeedd6dba6

  • SHA256

    a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7

  • SHA512

    21012aefb971bf05b5090f74375bb436d1294f227662efe661dededd5355d381f7f26195abc28db6f96b5d0dfbf27206aca5383b54c6111ffd225a3992f04341

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCzB/bSm:sxX7QnxrloE5dpUpfNb3

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
    "C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2016
    • C:\UserDot8Q\devbodec.exe
      C:\UserDot8Q\devbodec.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1320

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MintWE\bodxloc.exe

    Filesize

    2.6MB

    MD5

    fc908d4feb76b3359bdcf5d2fcdab4a6

    SHA1

    cb176e532916e63ffeca20ff1347e48e25a869d1

    SHA256

    71ad0d29720f8cd577decd05bfe8afcc4d38954895873f6f7d799581e322b305

    SHA512

    3ed8f5ceb0ddef5d4535d3bea254ce701679ad9a7e0bb77b3ff58001a735cf113138f65c1a5f167f3705fff6f432bef03628b7a33c75d651e2b83d8c2dd4312f

  • C:\MintWE\bodxloc.exe

    Filesize

    2.6MB

    MD5

    64a7f49f5b5066cad879738fa461cbba

    SHA1

    da40a4efb8861113438dbb64e2b9a9424063777f

    SHA256

    9849455f6cc7cc7d6c5d7a4a0de8f2c40774ed6b0ebfd7a5b1820b0264303837

    SHA512

    b2948c6873f7554e664d7e782c2bb9e32863fc94f8360c21242a861a09bdd09602be198f6ad1dc6278dcbb5ecd9cdc2db1a610c2175c199ba3b05648f9beaafb

  • C:\UserDot8Q\devbodec.exe

    Filesize

    2.6MB

    MD5

    bb608717f32d2778266ec4f5686271b5

    SHA1

    1a7b03186ab57417cba273e4bf48278f08954553

    SHA256

    a860d08a8fdbbdb124eae6f71e703110cba5f62a9560836ef953f6ff7b8763b7

    SHA512

    a0804185d4a8d996f2e1373a7abdb046742909154e310ef9d8976267ae5d66d3f8802e4c58987d96d4c74fd430bf6d84bdf5d55c7596162e7c4c6a15bfa9cc70

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    173B

    MD5

    76cd0da93c16f75f54f87495e33bf14c

    SHA1

    6a60026f16c8399ac354edcc9a04c47a47147aa3

    SHA256

    3f578b3c4a32112216e4ce6735c49c50d5fc184acdb3a4428dd82ba051e4bce9

    SHA512

    60322a2b7ce6686aa89bc0e574e6a63bf1af4aec3806ca35f38db21c08f041aba9aa10621951f97c824b54b76477906b73d41e7726886378d664b5e691298c63

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    205B

    MD5

    8747ff0a41173d9f1d778815e79ccd4c

    SHA1

    086e66576a87a205ddfdc267b60df5fc46b6e4af

    SHA256

    1f99f9f216a790637f6e71c178668752c34e118d8b8e149494c849a650392cc7

    SHA512

    31066b0b57da75dec741f3bda11347af13617bf51b5718918423cdb721a040e09ead8c9426d9dd7c179324c581be4310bcb3299d5fd038775314b61a606adae4

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe

    Filesize

    2.6MB

    MD5

    5e038e3b54da32e5c2fec052224d0cf8

    SHA1

    7dfadd45b28bf7d0ef16ac088443ea2c682a963e

    SHA256

    1b3c438e3da10868f9517a5ae3badccc8df2d960b5af82f735a3926e6e302927

    SHA512

    aa142f7ae58b64099fd54e58d90a251a10818b1603e2cacf09554876d7f8b0bfcc71024fe00bbf14b55574ac951cad4ca29a23adbe09a0f19a1944f3206f7026